Google Cloud Platform - Enforce Multi Factor Authentication (MFA)
What is the proper way to configure / enforce MFA, so that all of the admin accounts in my Google Cloud Platform are required to have MFA configured and enabled? I found some guidance about this topic, but that required logging in each and every admin and checking manually.
Solution 1:
To set up cloud identity:
Choose between Cloud Identity Free or Cloud Identity Premium. In this link, you can compare both editions.
- Instructions for signing up for Cloud Identity Free
- Instructions for signing up for Cloud Identity Premium
To create your Cloud Identity account and first admin user using the Setup Wizard:
- In the About you section, enter your first and last name in the Name field.
- In the Current email address you use for the work field, enter the email you used to create your prototype project.
- This email address will be used as a recovery address. It must be different from the address you create below that you'll use as your admin account for Cloud Identity.
- In the About your business section, enter your company name in the Business or organization name field.
- In the Country/Region field, choose the appropriate country or region from the pulldown list.
- Click Next to set up your domain.
- In the Your Cloud Identity Domain window, add the domain you've already purchased for your company. You'll need to verify that you own it by creating a specific CNAME record or uploading an HTML file.
- In the Create your Cloud Identity account window, enter a username and password. This account is your Cloud Identity administrator account and must be different from the email address you entered in step 2 above. As a best practice, we recommend that you enter a username with the following format: [email protected].
More information about setting up Cloud Identity can be found here.
Multi-factor authentication (MFA) is an important tool in protecting corporate resources. MFA, also called 2-Step Verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code).
To deploy 2-Step Verification:
Step 1: Notify users of 2-Step Verification deployment (required)
Before deploying 2-Step Verification, communicate your company's plans to your users, including:
- What is 2-Step Verification and why your company is using it
- Whether 2-Step Verification is optional or required
- If required, give the date by which users must turn on 2-Step Verification
- Which 2-Step Verification method is required or recommended.
Step 2: Set up basic 2-Step Verification (required)
Next, let your users turn on 2-Step Verification. By default, users can turn on 2-Step Verification and use any verification method. (G Suite accounts created before December 2016 have 2-Step Verification turned off by default.)
Step 3: Enforce 2-Step Verification (optional)
As an administrator, enforcing 2-Step Verification for your users is an optional step.
Make sure users are enrolled in 2-Step Verification before turning on enforcement. Users who aren’t enrolled can't sign in to their accounts.
Enforcement methods
- Any—Users can set up any 2-Step Verification method.
- All except verification codes via text, phone call—Users can set up any 2-Step Verification method except using their phones to receive 2-Step Verification verification codes.
- Only security key—Users must set up a security key.
More detailed instructions in this link.
If you want to use text message or phone call as your 2-Step Verification method, consider:
If you currently allow any 2-Step Verification method, you probably have users who verify only by text and voice call. To avoid locking out these users from their accounts:
Before enforcement takes effect, tell users to start using another 2-Step Verification method. Also, inform them that 2-Step Verification verification codes won't be available on their phones after the enforcement date. Use the login_verification Login Audit activity event to track users who sign in using 2-Step Verification verification codes they receive by text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticated with a text or voice verification code.
In this link, you will find a more detailed guide for the users to activate their 2-step verification method.
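As an added example (not part of the answer above and not Google's own code), the Python below applies the audit check the answer describes: it scans Login audit records in the shape returned by the Admin SDK Reports API activities.list call and reports users whose login_verification events carried login_challenge_method = idv_preregistered_phone, i.e. users still verifying with a text or voice code who would be locked out once that method is disallowed. The record shape (single `value` versus `multiValue`), the sample users and the other method names in the sample are assumptions or constructed data; fetching the real records (Reports API, applicationName=login, eventName=login_verification) is left to your API client.

```python
from __future__ import annotations

# login_challenge_method value the answer above cites for text/voice verification codes.
SMS_VOICE_METHOD = "idv_preregistered_phone"

def challenge_methods(event: dict) -> set[str]:
    """Collect login_challenge_method values from one audit event.
    Assumption: the parameter may carry a single `value` or a `multiValue` list."""
    methods: set[str] = set()
    for param in event.get("parameters", []):
        if param.get("name") == "login_challenge_method":
            if "value" in param:
                methods.add(param["value"])
            methods.update(param.get("multiValue", []))
    return methods

def users_verifying_by_phone(activities: list[dict]) -> dict[str, int]:
    """Map actor email -> number of login_verification events that used a text/voice code.
    Other event names (e.g. login_success) and other methods (e.g. a security key) are ignored."""
    counts: dict[str, int] = {}
    for item in activities:
        actor = item.get("actor", {}).get("email", "<unknown>")
        for event in item.get("events", []):
            if event.get("name") == "login_verification" and SMS_VOICE_METHOD in challenge_methods(event):
                counts[actor] = counts.get(actor, 0) + 1
    return counts

def _item(email: str, name: str, param: dict) -> dict:
    """Build one constructed activity record in the shape of a Reports API activities.list item."""
    return {"actor": {"email": email},
            "events": [{"type": "login", "name": name,
                        "parameters": [{"name": "login_challenge_method", **param}]}]}

# Constructed sample data for applicationName=login (hypothetical users, not real audit records).
SAMPLE_ITEMS = [
    _item("alice@example.com", "login_verification", {"multiValue": ["password", "idv_preregistered_phone"]}),
    _item("bob@example.com", "login_verification", {"multiValue": ["password", "security_key"]}),
    _item("alice@example.com", "login_verification", {"value": "idv_preregistered_phone"}),
    _item("carol@example.com", "login_success", {"value": "idv_preregistered_phone"}),  # not a verification event
]

if __name__ == "__main__":
    for email, n in sorted(users_verifying_by_phone(SAMPLE_ITEMS).items()):
        print(f"{email}: {n} sign-in(s) verified with a text/voice code")
```

Run the resulting list against your enforcement date to notify the affected users before switching to a stricter enforcement method.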
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ismael Clemente Aguirre |
